FortiOS & FortiProxy - CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability

Summary

The Fortinet Product Security team has evaluated the impact of the HTTP/2 Rapid Reset Attack vulnerability, listed below:

CVE-2023-44487:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly.
https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Version          Affected                 Solution
FortiOS 7.4      7.4.0 through 7.4.1      Upgrade to 7.4.2 or above
FortiOS 7.2      7.2.0 through 7.2.6      Upgrade to 7.2.7 or above
FortiOS 7.0      7.0.0 through 7.0.13     Upgrade to 7.0.14 or above
FortiProxy 7.4   7.4.0 through 7.4.1      Upgrade to 7.4.2 or above
FortiProxy 7.2   7.2.0 through 7.2.7      Upgrade to 7.2.8 or above
FortiProxy 7.0   7.0 all versions         Migrate to a fixed release
Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool

FortiSASE: Issue remediated Q3/23

Workaround:
HTTP/2 support in proxy mode with SSL inspection can be disabled by restricting the negotiated ALPN protocol to HTTP/1.1 in the SSL/SSH inspection profile (replace <profile-name> with the name of the profile in use):
config firewall ssl-ssh-profile
    edit <profile-name>
        set supported-alpn http1-1
    next
end

For VIP:
In FortiOS 7.2.4 - 7.2.6, and 7.4.0:
config firewall vip
    edit <vip-name>
        set http-supported-max-version http1
    next
end

In FortiOS 7.4.1 and later:
config firewall vip
    edit <vip-name>
        set h2-support disable
    next
end
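To verify that the workaround has actually been applied across all profiles and VIPs, the following added example (not part of the advisory or any Fortinet tool) parses FortiOS CLI output in the shape of `show full-configuration` and reports every ssl-ssh-profile or vip entry that lacks one of the three settings above. It assumes that a setting absent from the output is at its default, which leaves HTTP/2 enabled, and the sample configuration is constructed.

```python
# Constructed FortiOS CLI text in the shape of `show full-configuration`; not from a real device.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set supported-alpn all
        config https
            set ports 443
        end
    next
end
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
    next
end
"""

# Settings the advisory names as workarounds; any one present in an entry counts as applied.
WORKAROUNDS = {"firewall ssl-ssh-profile": [("supported-alpn", "http1-1")],
               "firewall vip": [("h2-support", "disable"), ("http-supported-max-version", "http1")]}

def parse_tables(text):
    """Return {table: {entry: {setting: value}}} for top-level tables, ignoring nested sub-tables."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
            tables.setdefault(stack[0], {})
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) != 1:
            continue  # inside a nested block such as `config https`, or outside any table
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            tables[stack[0]][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[stack[0]][entry][key] = value
    return tables

def entries_allowing_h2(text):
    """Return [(table, entry)] with none of the advisory's HTTP/2-disabling settings applied."""
    tables, findings = parse_tables(text), []
    for table, options in WORKAROUNDS.items():
        for name, settings in tables.get(table, {}).items():
            # Absent setting = default (supported-alpn all, h2-support enable), so HTTP/2 stays on.
            if not any(settings.get(key) == value for key, value in options):
                findings.append((table, name))
    return findings
```

Run it against the output of `show full-configuration` rather than `show`, since the latter omits settings still at their default value.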

Timeline

2024-02-08: Initial publication